Configure certificate-based console authentication

You can set up certificate-based authentication in an on-premises environment so that administrators and users can log in using an authentication certificate. BlackBerry UEM verifies certificates against the issuer, verifies that the certificate is valid using the certificate OCSP or CRL settings, and verifies that the certificate matches a user in the BlackBerry UEM database.

This feature is not supported by BlackBerry UEM Cloud.

Obtain copies of the CA certificates that issue your administrators' and users' client certificates in .cer or .der format.
  1. On the menu bar, click Settings > General settings > Certificate-based console authentication.
  2. Select Enable certificate-based authentication.
  3. Click Browse and navigate to the location where you saved the CA certificate files. Select a file and click Open to upload the certificate to BlackBerry UEM. BlackBerry UEM trusts all certificates issued by that CA. Repeat this step to upload additional certificates.
  4. Select Check for user principal name for SAN to require BlackBerry UEM to verify that the user principal name in the certificate matches a user in the BlackBerry UEM database.
     If the user principal name in the certificate matches a known user, BlackBerry UEM grants access according to the user's permissions.
  5. Select Check for email address to require BlackBerry UEM to verify that the user email address in the certificate matches a user email address in the BlackBerry UEM database.
     If the user email address in the certificate matches a known user, BlackBerry UEM grants access according to the user's permissions. If you select both Check for user principal name for SAN and Check for email address, BlackBerry UEM checks the principal name before the email address and grants access if the principal name matches. If neither check finds a match between the certificate and a known user, BlackBerry UEM denies access.
  6. Click Save.
Users who access BlackBerry UEM using Mozilla Firefox must add their client certificate to the Firefox certificate store to authenticate with BlackBerry UEM using certificate-based authentication.
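
The identity checks in steps 4 and 5, as an added Python illustration that is not BlackBerry UEM code: it reads the user principal name (otherName, OID 1.3.6.1.4.1.311.20.2.3) and the email address (rfc822Name) from a certificate's subjectAltName value and applies the UPN-before-email order described above. Assumptions: the email is taken from the SAN rfc822Name, matching is case-insensitive, and the SAN bytes and user records are constructed samples.

```python
# Added illustration, not BlackBerry UEM code; SAN bytes and user records are constructed.
UPN_OID = bytes.fromhex("2b060104018237140203")  # 1.3.6.1.4.1.311.20.2.3 (Microsoft UPN)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def san_identities(san_der):
    """Return (upn, email) found in a DER-encoded subjectAltName extension value."""
    tag, names, _ = read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("subjectAltName is not a SEQUENCE")
    upn, email, pos = None, None, 0
    while pos < len(names):
        tag, val, pos = read_tlv(names, pos)
        if tag == 0x81:                        # [1] rfc822Name (assumed email source)
            email = val.decode("ascii")
        elif tag == 0xA0:                      # [0] otherName: type-id OID, then value
            t, oid, nxt = read_tlv(val, 0)
            if t == 0x06 and oid == UPN_OID:
                _, text, _ = read_tlv(read_tlv(val, nxt)[1], 0)  # [0] EXPLICIT > UTF8String
                upn = text.decode("utf-8")
    return upn, email

def resolve_user(san_der, users, check_upn=True, check_email=True):
    """UPN first, then email, else None (deny). Case-insensitive match is an assumption."""
    upn, email = san_identities(san_der)
    for enabled, field, value in ((check_upn, "upn", upn), (check_email, "email", email)):
        if enabled and value:
            for user in users:
                if user[field].casefold() == value.casefold():
                    return user["name"]
    return None

def tlv(tag, body):
    return bytes([tag, len(body)]) + body      # short-form length, enough for sample data

def make_san(upn, email):
    other = tlv(0xA0, tlv(0x06, UPN_OID) + tlv(0xA0, tlv(0x0C, upn.encode())))
    return tlv(0x30, other + tlv(0x81, email.encode()))

USERS = [{"name": "admin-a", "upn": "jdoe@corp.example", "email": "j.doe@example.com"},
         {"name": "user-b", "upn": "bsmith@corp.example", "email": "shared@example.com"}]
SAMPLE_SAN = make_san("jdoe@corp.example", "shared@example.com")
```

The sample certificate carries one user's UPN and another user's email address, so the result changes with the options selected: with both checks enabled it resolves to admin-a, with only the email check it resolves to user-b.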